UK business and the GDPR - data governance
Organisations must identify which data held by them qualifies as personal, where this is physically stored and in what state. Because this introduces a management overhead, it will be in the interest of businesses to minimise the data they collect in future, ensuring its accuracy
UK business and the GDPR - compliance
The GDPR has fuelled a small industry of legal and compliance practitioners who will help organisations through the pitfalls of compliance. However, organisations must always set up their own internal structures to cope with something as complex as the GDPR (see below).
UK business and the GDPR - privacy, consent and rights
Because the GDPR underlines the privacy of personal data, this must from now on be built into the way data is collected and managed, so-called 'privacy by design'. All data must be gathered with explicit rather than assumed consent, and the right of data subjects to withdraw that consent must be communicated and explained as part of the data's lifecycle. In future it won't be possible simply to accumulate and hold on to data because there is no policy for disposing of it.
UK business and the GDPR - 'right to be forgotten'
Probably the most contentious data protection ruling for years, in May 2014 the European Court of Justice ruled that search engines such as Google were data processors and that citizens had the right to ask that content referring to them be 'forgotten'. Although the case was part of the current data protection setup, the GDPR would define a more limited 'right to erasure'. Exactly what this will mean is still unclear and could depend on future rulings.
UK business and the GDPR - breach notification and reporting
Under the GDPR, organisations that believe they have suffered a breach with data protection implications will have 72 hours to report it to the local information commissioner from the point at which it is discovered (this might be reduced to 24 hours in future). Breaches of data protection (of which a full breach is only the most serious example) will result in fines of at least two percent of global turnover or 1 million Euros, whichever is greater. Exactly how compliance failures will be tiered within these numbers has yet to be spelled out.
UK business and the GDPR - encryption as saviour?
One defence against mandatory breach notification will be where the data is unreadable or in an inaccessible state, which today means that it was encrypted. Where this is the case, notification will not be necessary. However, the sting in the tail is that this means encrypting all personal data, not (as today) only selected parts of it such as credit card or social security numbers. The encryption keys will also need to be protected, since data whose keys are exposed in the same breach is no longer unreadable.